Welcome to my blog. For more information about me, visit my website at http://www.kush.com.fj. This blog is mostly just to keep track of my ramblings and thoughts, game reviews, and crazy hare-brained ideas, so don't expect to find any profound, life-altering body of knowledge here...

10/30/2011

Installing OSSEC on Centos 5.7

OSSEC is an open source host-based IDS that performs log analysis and is able to collect, correlate and analyse logs from a number of Linux (and Windows, but that is outside the scope of this blog post) servers. OSSEC's software architecture and its use of agents lend it to flexible deployment and management [1].

The easiest route is to set up the Atomic repository, which already carries the appropriate OSSEC packages, and install from there. However, I have a strong dislike for using the /var partition as the install location (the installer's default is /var/ossec): most system administrators, hmm... well, at least I have always, set /var up as a separate partition for ease of management and for security reasons, and that partition is especially unsuitable when it has been mounted "noexec".

Please note: firstly, parts of the set-up below depend on other services, such as Apache, PHP and MySQL, but the installation and secure configuration of those services are beyond the scope of this blog post. Secondly, the configuration below only sets OSSEC up as a monitor; it does not run active response, i.e. it is not used as an IPS.

Installation using the repository

wget https://www.atomicorp.com/installers/atomic -O atomic.sh

. ./atomic.sh

yum -y update

yum -y install ossec-hids ossec-hids-server ossec-wui

Installation using the tar ball source

Download, compile and install from source

wget http://www.ossec.net/files/ossec-hids-2.6.tar.gz

tar zxvf ossec-hids-2.6.tar.gz

cd ossec-hids-2.6/src

make clean

make setdb

make all

cd ..

./install.sh

The installer is interactive; the answers below are given in the order the prompts appear: language, installation type, install location, e-mail notification, e-mail address, SMTP server, integrity check daemon, rootkit detection engine, and active response (declined, since this set-up is monitor-only).

en

local

/opt/ossec

y

user@domain

mx.domain

y

y

n

Set up the MySQL database for logging

Grant access to the database (PASSWD below is a placeholder; use a strong password)

mysql -u root -p

grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossecuser@localhost;

set password for ossecuser@localhost=PASSWORD('PASSWD');

quit;

Create database and tables

mysqladmin -u root -p create ossec

mysql -u root -p ossec < src/os_dbd/mysql.schema

Edit the /opt/ossec/etc/ossec.conf file

Check the wiki for how to set up logging to the database and to syslog [2].

Install the Web User Interface (you will need Apache and PHP)

Again, the installation and secure configuration of Apache is beyond the scope of this blog post.

wget http://www.ossec.net/files/ui/ossec-wui-0.3.tar.gz

tar zxvf ossec-wui-0.3.tar.gz

mkdir -p /var/www/html/ossec-wui

cp -rf ./ossec-wui-0.3/* /var/www/html/ossec-wui/

cd /var/www/html/ossec-wui/

./setup.sh

Edit ossec_conf.php to point to the OSSEC installation completed in the previous stage:

$ossec_dir="/opt/ossec";

Start the OSSEC services

/opt/ossec/bin/ossec-control enable database

/opt/ossec/bin/ossec-control enable client-syslog

/opt/ossec/bin/ossec-control start

Possible Errors:

When opening OSSEC-WUI you may get a page that displays "Unable to access OSSEC directory". Ensure that the user your Apache web server runs as (e.g. httpd or apache) is added to the ossec group:

usermod -a -G ossec apache

"Unable to retrieve alerts". Ensure that your web server is able to open the alerts file. This issue is twofold: firstly, ensure that the web server has permission to open the file, and secondly, that the fopen call is permitted by your PHP configuration (php.ini):

safe_mode Off

safe_mode_gid On

The next two are not so much errors as warnings that will clutter your syslog, depending on your PHP configuration.

PHP Warning: shell_exec() has been disabled for security reasons - This is caused by a uname -a query in the /var/www/html/ossec-wui/lib/os_lib_agent.php script; comment that line out and hard-code the OS string instead:

//$agent_list[$agent_count]{'os'} = `uname -a`;

$agent_list[$agent_count]{'os'} = "Linux";

PHP Warning: fseek() expects parameter 3 to be long - This appears to be a simple programming error in /var/www/html/ossec-wui/lib/os_lib_alerts.php.
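A pre-flight script for the permission and PHP problems listed under Possible Errors, added here as an example and not taken from the post or from OSSEC: it assumes the /opt/ossec location and the "apache" user used above, guesses /etc/php.ini as the PHP configuration file, and must run as root so the alerts file can be tested as the web user. Each check is a separate function so it can be run on its own.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# WUI problems listed above. Assumed defaults, overridable via the environment:
OSSEC_DIR="${OSSEC_DIR:-/opt/ossec}"       # install location chosen above
WEB_USER="${WEB_USER:-apache}"             # user Apache runs as
GROUP_FILE="${GROUP_FILE:-/etc/group}"
PHP_INI="${PHP_INI:-/etc/php.ini}"         # CentOS location (assumption)
# user_in_group USER GROUP [GROUP_FILE]: 0 if USER is a supplementary member
# of GROUP, i.e. the state that "usermod -a -G ossec apache" produces.
user_in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit (found ? 0 : 1) }' "${3:-$GROUP_FILE}"
}

# php_directive_is INI DIRECTIVE VALUE: 0 if the last uncommented setting of
# DIRECTIVE in INI equals VALUE (case-insensitive), e.g. safe_mode Off.
php_directive_is() {
    awk -F= -v d="$2" -v want="$3" '
        $0 !~ /^[ \t]*;/ && NF >= 2 {
            k = $1; gsub(/[ \t]/, "", k)
            if (tolower(k) == tolower(d)) { v = $2; gsub(/[ \t"]/, "", v); last = v }
        }
        END { exit ((tolower(last) == tolower(want)) ? 0 : 1) }' "$1"
}

# shell_exec_disabled INI: 0 if shell_exec is listed in disable_functions,
# the setting that produces the uname -a warning from os_lib_agent.php.
shell_exec_disabled() {
    awk -F= '$0 !~ /^[ \t]*;/ && NF >= 2 {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == "disable_functions") { v = $2; gsub(/[ \t"]/, "", v)
                if (("," v ",") ~ /,shell_exec,/) hit = 1 }
        }
        END { exit (hit ? 0 : 1) }' "$1"
}

# preflight: run the checks against the live system (as root, so the alerts
# file can be tested as WEB_USER) and print what still needs fixing.
preflight() {
    rc=0; alerts="$OSSEC_DIR/logs/alerts/alerts.log"   # OSSEC's alerts file
    user_in_group "$WEB_USER" ossec || { echo "FIX: usermod -a -G ossec $WEB_USER"; rc=1; }
    su -s /bin/sh "$WEB_USER" -c "test -r '$alerts'" \
        || { echo "FIX: $alerts is not readable by $WEB_USER"; rc=1; }
    php_directive_is "$PHP_INI" safe_mode Off || { echo "FIX: set safe_mode Off in $PHP_INI"; rc=1; }
    php_directive_is "$PHP_INI" safe_mode_gid On || { echo "FIX: set safe_mode_gid On in $PHP_INI"; rc=1; }
    shell_exec_disabled "$PHP_INI" && echo "NOTE: shell_exec is disabled; patch os_lib_agent.php as shown above"
    return $rc
}
```

Run `preflight` after the usermod and php.ini changes; a non-zero exit means at least one of the conditions behind the WUI errors above is still present.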